By Marco Altenseuer on 09.07.2024, IT Security

Vulnerability management: security through vulnerability management

Vulnerability management is a critical aspect of information security: the fewer exploitable vulnerabilities there are, the fewer points of attack remain. Vulnerabilities can be organizational, for example in the organization as a whole, in people and in processes, but also technical or systemic, for example in hardware, operating systems or applications. This article focuses on technical vulnerabilities, which can often be identified by technical means.

The four phases of vulnerability management

Vulnerability management consists of four phases. The first is the detection of vulnerabilities. In very small environments this can be done manually by evaluating the advisories of a CERT such as CERT-Bund. Anyone who has tried this, however, knows that the sheer number of advisories, together with the manual check of whether the exact affected version of an application is actually in use, quickly leads to overload. The result is that advisories are no longer processed or are simply ignored.

The four phases of vulnerability management (figure):
  1. Detection (performed with specialized tools that scan systems)
  2. Assessment (usually carried out according to a worldwide standard, CVSS)
  3. Reporting (e.g. via dashboards or tickets)
  4. Remediation (e.g. installing a patch, disabling a function)

1. Detection through the use of vulnerability management tools

Using specialized tools is more convenient and more effective. They can detect various properties of a system: the version and patch level of an operating system or application, but also its configuration. Different scanning methods are distinguished, depending on the system and the goal to be achieved.

External scans
External scans view a system “from the outside”. Among others, the following scans can be performed:

  1. Host discovery: determines all active hosts in the network. This is important for understanding the scope of the systems to be scanned.
  2. Port scanning: scanning the ports of the discovered hosts identifies open ports and potential vulnerabilities. Open ports can indicate insecure services or outdated software.
  3. Website scans: external web applications are scanned for vulnerabilities such as cross-site scripting (XSS), SQL injection and other attack vectors.
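As an added illustration of host discovery, port scanning and the version check that follows (example code written for this edit, not part of the original article or of any scanner product): the script starts two throwaway TCP services on the loopback interface, performs a TCP connect scan, grabs the banners and compares the announced version with an affected-version range. The DemoFTP product, its banner format and the affected range (1.0.0 up to, but not including, 1.4.2) are constructed for the demo.

```python
"""TCP connect scan with banner grabbing and version matching.
Added example, not the article's code. DemoFTP, its banner and the
affected-version range are constructed for the demo."""
import re
import socket
import threading
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed vulnerability data: product -> (first affected, first fixed).
# A real scanner takes this from a vulnerability feed; DemoFTP does not exist.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "DemoFTP": ((1, 0, 0), (1, 4, 2)),
}
BANNER_RE = re.compile(r"^220 (?P<product>[A-Za-z]+) (?P<version>\d+(?:\.\d+)+)")


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def start_banner_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Throwaway TCP service on 127.0.0.1 that greets each client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice srv.close()

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return  # listener was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def scan_port(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect scan of one port: banner text if open ('' if the service is
    silent), None if the connection fails. A plain connect scan cannot tell a
    closed port from a filtered one; both end up as None here."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                return ""
    except OSError:
        return None


def scan_host(host: str, ports: List[int]) -> Dict[int, str]:
    """Host-level view: open ports and what they announced."""
    result: Dict[int, str] = {}
    for port in ports:
        banner = scan_port(host, port)
        if banner is not None:
            result[port] = banner
    return result


def findings(open_ports: Dict[int, str]) -> List[dict]:
    """Turn banners into findings by comparing the announced version with AFFECTED."""
    out = []
    for port, banner in sorted(open_ports.items()):
        m = BANNER_RE.match(banner)
        if not m:
            continue
        product, version = m["product"], parse_version(m["version"])
        rng = AFFECTED.get(product)
        if rng and rng[0] <= version < rng[1]:
            out.append({"port": port, "product": product, "version": m["version"],
                        "fixed_in": ".".join(map(str, rng[1]))})
    return out


def demo() -> dict:
    """Scan three loopback ports: a vulnerable DemoFTP, a fixed one, and a closed port."""
    srv_old, p_old = start_banner_service(b"220 DemoFTP 1.3.7 ready\r\n")
    srv_new, p_new = start_banner_service(b"220 DemoFTP 1.4.2 ready\r\n")
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    p_closed = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more
    try:
        open_ports = scan_host("127.0.0.1", [p_old, p_new, p_closed])
        return {"open": open_ports, "findings": findings(open_ports),
                "vulnerable_port": p_old, "fixed_port": p_new, "closed_port": p_closed}
    finally:
        srv_old.close()
        srv_new.close()


if __name__ == "__main__":
    print(demo())
```

Running the script prints the open ports, their banners and the single finding for the 1.3.7 service. The version comparison is the part that the manual advisory check mentioned above gets wrong most often: it has to be done on parsed version tuples, not on strings, and against a half-open range (first affected, first fixed).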

Internal scans
Internal scans take place within the network and use credentials to access systems. They include:

  1. Credentialed scans: credentials are used to log in to the systems. This identifies vulnerabilities that are only visible after successful authentication.
  2. Compliance scans: these compare systems against a baseline. They check whether the configuration complies with the security policy, for example whether the password policy is configured or the monitoring software is active. The technical requirements of norms and standards such as ISO/IEC 27001, the BSI IT-Grundschutz compendium or the CIS Benchmarks can also be checked in this way.
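A compliance scan in the sense just described, as an added example (not the article's code): it reads an sshd_config and compares the effective global settings with a small CIS-style baseline. The config text and the baseline values are constructed for the demo; the defaults applied for absent directives are this example's reading of sshd_config(5) and should be verified against the OpenSSH version actually installed.

```python
"""Compliance check of an sshd_config against a small CIS-style baseline.
Added example, not the article's code; config text and baseline are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Check:
    directive: str
    default: str                   # value sshd applies when the directive is absent
    passes: Callable[[str], bool]
    expected: str                  # requirement as shown in the report


# Constructed baseline modelled on common CIS Benchmark recommendations for
# OpenSSH. The defaults are this example's assumption about sshd_config(5);
# verify them against the installed OpenSSH version.
BASELINE: List[Check] = [
    Check("PermitRootLogin", "prohibit-password", lambda v: v == "no", "no"),
    Check("PasswordAuthentication", "yes", lambda v: v == "no", "no"),
    Check("MaxAuthTries", "6", lambda v: v.isdigit() and int(v) <= 4, "4 or fewer"),
    Check("X11Forwarding", "no", lambda v: v == "no", "no"),
    Check("LogLevel", "INFO", lambda v: v.upper() in {"INFO", "VERBOSE"}, "INFO or VERBOSE"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global value per directive (keys lower-cased).

    Three sshd parsing rules matter for a correct verdict: keywords are
    case-insensitive, the FIRST occurrence of a keyword wins, and everything
    after the first 'Match' line applies conditionally, so it is not global.
    Only whole-line comments are recognized here; keep comments on their own lines.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)  # first value wins, as in sshd
    return effective


def run_checks(text: str) -> Dict[str, dict]:
    """Map each baseline directive to its effective value, its origin and pass/fail."""
    cfg = parse_sshd_config(text)
    report: Dict[str, dict] = {}
    for check in BASELINE:
        configured: Optional[str] = cfg.get(check.directive.lower())
        value = configured if configured is not None else check.default
        report[check.directive] = {
            "value": value,
            "source": "config" if configured is not None else "default",
            "expected": check.expected,
            "ok": check.passes(value),
        }
    return report


def failed(report: Dict[str, dict]) -> List[str]:
    return sorted(name for name, r in report.items() if not r["ok"])


# Constructed sshd_config for the demo.
SAMPLE_CONFIG = """\
# constructed host configuration for the example
Port 22
PermitRootLogin yes
# the second PermitRootLogin below is ignored by sshd: first value wins
PermitRootLogin no
PasswordAuthentication no
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, r in run_checks(SAMPLE_CONFIG).items():
        state = "PASS" if r["ok"] else "FAIL"
        print(f"{state} {name}={r['value']} ({r['source']}), expected {r['expected']}")
```

The sample fails two checks: PermitRootLogin, because the first of the two occurrences is the one sshd applies, and MaxAuthTries, which is not set at all and therefore runs with the default of 6. A compliance scanner that only greps for the directive would miss the second case; the default has to count as the effective value.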

2. Assessment of vulnerabilities

A scanning tool already performs a general assessment of each vulnerability it finds. This is based on the Common Vulnerability Scoring System (CVSS) and takes several factors into account, such as the attack vector, the complexity of a possible attack, whether user interaction is required, and which security objectives (confidentiality, integrity, availability) are affected. Depending on these factors, points are awarded that add up to a score between 0 and 10. The severity level is then derived from the score range.

This general assessment is therefore a good starting point for assessing vulnerabilities and is sufficient as the sole indicator in many cases. However, some vulnerability management tools offer additional options for a more in-depth assessment. For example, it makes sense to first close vulnerabilities on systems that are publicly accessible, as identified by the external scans described above. It is also possible to prioritize vulnerabilities that are known to be actively exploited, for example by ransomware.

CVSS score to severity level:

  Score          Severity
  0.0            None
  0.1 to 3.9     Low
  4.0 to 6.9     Medium
  7.0 to 8.9     High
  9.0 to 10.0    Critical

3. Reporting

Vulnerabilities can be reported in a variety of ways. The vulnerability management tool usually visualizes the detected vulnerabilities in a web interface, but also makes them available via an API or can create tickets in the ticketing system itself. What matters is to use the channel already established in the company wherever possible, so that the teams that have to fix the vulnerabilities accept the process; forcing them to work exclusively in yet another tool can be counterproductive. The web interface can then provide the deeper detail, such as where exactly the vulnerability was identified, how it can be fixed, and links to further information from the vendor.

4. Remediation: challenges of patching

Remediating vulnerabilities is the last task in a vulnerability's lifecycle. In rare cases, accepting the risk may be an option, but usually a patch is installed or a workaround is implemented.
Rolling out a patch or implementing a workaround can, however, also mean that a system is unavailable for the duration of the patching, or that the patch introduces a bug. The decision of whether a patch is rolled out as quickly as possible or only during the next scheduled maintenance window should therefore also depend on the assessment. It should also be weighed whether the change is tested in a test environment first or whether remediation takes place directly in the production environment.

Conclusion

Vulnerability management is crucial for minimizing security risks and fending off potential threats. By identifying and remediating vulnerabilities, organizations can maintain their security and protect their security objectives.

Marco Altenseuer

Information Security Officer

Marco is our IT security specialist and is happy to answer any questions you may have in this area.